IPv6 uptake (was: The Reg does 240/4)

Brandon Butterworth brandon at bogons.net
Sat Feb 17 21:24:20 UTC 2024


On 17/02/2024, 19:27:20, "William Herrin" <bill at herrin.us> wrote:
>So it does not surprise me that a 1994 book on network security would
>not have discussed NAT. They'd have referred to the comparable
>contemporary technology, which was "transparent application layer
>gateways." Those behaved like what we now call NAT but did the job a
>different way: instead of modifying packets, they terminated the
>connection and proxied it.

And that was a very desired feature plus the address isolation,
then and for decades since. The client's IP stack was not trusted
to interact directly with external hosts.

See SOCKS proxy too (and later Squid). It is still in use today
in some places.

There were stateful firewalls but trust was reduced when the
FireWall-1 undocumented and unconfigurable default DNS UDP
inbound rule was discovered; it let anyone on the Internet's "DNS"
packets reach any host on the inside they could guess the address
of. The "what if the product does allow packets in that it is expected
not to" consideration drove having unreachable internal addressing.

Clicking on rules and assuming it is all good forevermore through
product revisions was not sufficient. Every version would need a
significant re-audit and would probably miss any real problem.

How are people validating their firewall does what they think it
does?

brandon
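One answer to the question above is to treat the firewall policy as code with a regression suite: a list of flows that must be allowed and flows that must be denied, replayed against every rule set revision. The following is an added example, not code from this thread or from any firewall vendor. The rule format, the first-match evaluator, the "configured" rule set, the implicit vendor rule and the sample flows are all constructed for illustration; the hidden allow-any UDP/53 rule stands in for the kind of undocumented default the post describes and does not reproduce any real product's behaviour.

```python
"""Regression-test a firewall policy with explicit allow and deny expectations.

Added example for illustration only. Rules, addresses and flows are constructed;
they do not describe any real device or network.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls inside the rule's protocol/address/port constraints."""
    return (
        rule.proto in ("any", flow.proto)
        and ip_address(flow.src) in ip_network(rule.src)
        and ip_address(flow.dst) in ip_network(rule.dst)
        and rule.dport in (None, flow.dport)
    )


def decide(rules: list[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins, as in most packet filters; unmatched flows get the default."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


def check_policy(rules: list[Rule], expectations) -> list[tuple[Flow, str, str]]:
    """Return (flow, expected, actual) for every expectation the rule set violates."""
    failures = []
    for flow, expected in expectations:
        actual = decide(rules, flow)
        if actual != expected:
            failures.append((flow, expected, actual))
    return failures


# Constructed: what the administrator believes the rule set to be.
CONFIGURED_RULES = [
    Rule("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),
    Rule("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", 80),
    Rule("allow", "udp", "10.0.0.53/32", "0.0.0.0/0", 53),  # internal resolver outbound only
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
]

# Constructed: an implicit product default the administrator never wrote,
# evaluated before the configured rules (hypothetical, for illustration).
HIDDEN_VENDOR_RULES = [
    Rule("allow", "udp", "0.0.0.0/0", "0.0.0.0/0", 53),
]
EFFECTIVE_RULES = HIDDEN_VENDOR_RULES + CONFIGURED_RULES

# Constructed expectations: positive cases AND negative cases. The negative
# cases are what catch a rule the configuration does not show.
EXPECTATIONS = [
    (Flow("tcp", "10.1.2.3", "203.0.113.10", 443), "allow"),
    (Flow("udp", "10.0.0.53", "203.0.113.53", 53), "allow"),
    (Flow("tcp", "198.51.100.7", "10.1.2.3", 22), "deny"),
    (Flow("udp", "198.51.100.7", "10.1.2.3", 53), "deny"),  # outside "DNS" to an inside host
]


if __name__ == "__main__":
    for label, rules in (("configured", CONFIGURED_RULES), ("effective", EFFECTIVE_RULES)):
        failures = check_policy(rules, EXPECTATIONS)
        print(f"{label}: {len(failures)} violation(s)")
        for flow, expected, actual in failures:
            print(f"  {flow}: expected {expected}, got {actual}")
```

Run against the configured rules every expectation passes; run against the effective rules the negative UDP/53 case fails, which is exactly the class of problem the post describes. The offline model only covers what you know to model, so the same expectation list should also be replayed as real probes against the deployed device from both sides of it, and re-run after every product upgrade rather than audited once.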
